Research on Cross-Border Protection of Personal Financial Information from the Perspective of China Civil Code ()
1. Introduction
With the rapid development of financial technologies such as digital currency, robo-advisor and big data technology, all countries are strengthening the construction of financial infrastructure, hoping to gain competitive advantages in the growth of the financial industry and thereby enhancing national strength. In the development of financial technology, big data is the basic means of production for its progress (Huang, 2023) . Using big data for the marketing, analysis and decision-making, these are indispensable links for the Fin Tech evolution. As a result, data plays a crucial role in Fin Tech. During the process of economic globalization, cross-border personal financial data issues inevitably arise between countries. What can’t be ignored is that there is a certain degree of complexity in the regulation of cross-border personal financial data protection issues. First of all, personal data may be collected in place A, processed in place B, stored in place C, then used in place D. The involvement of cross-border factors makes personal data protection issues become more complicated (Zhang, 2018) . Secondly, cross-border personal financial data issues refer to both domestic and foreign aspects. On the one hand, it requires the enactment of domestic laws and regulations; on the other hand, the regulation of cross-border personal financial data issues demands a certain consensus to be reached among countries. At the same time, in the context of major changes that have not been seen in a century, including the decoupling of China and the United States, Brexit and the rise of regional institutions, the foreign economic and trade policies of each country are affected by various theories such as a community with a shared future for mankind, new trade protectionism and the theory of comparative interests. Not to mention the differences in history, culture, international situation and regulatory rules between countries, all resulting in difficulties in the regulation of cross-border personal financial data. Finally, against such complex background, the emergence of the Civil Code of the People’s Republic of China (hereinafter referred to as “the Civil Code”) has had a huge impact on the regulation of cross-border personal financial information protection issues. On the basis of absorbing the legislative essence of various countries, this issue is adjusted in the Civil Code through private law. This behavior has an impact of acceleration, but it also has certain shortcomings.
To this end, the terminology of cross-border personal financial data is defined firstly in this article, and the current regulatory situation in China and the corresponding response of the Civil Code is sorted out. And then the shortcomings of the Civil Code in protecting cross-border personal financial data are analyzed. Eventually, corresponding improvement paths are proposed according to the research on combination of foreign legislation practice and China’s actual situation.
2. Terminology Determination of Cross-Border Personal Financial Data, China’s Public Law Regulations and Private Law Protection
2.1. Terminology Determination of Cross-Border Personal Financial Data
Before discussing the protection of cross-border personal financial information in China, we should clarify the definition of cross-border personal financial information protection. At present, there is no direct and clear definition, but similar definitions already exist to clarify its connotation. First of all, the definition of personal financial information has been clarified in China’s current legal system, that is: “personal information obtained, processed and stored by financial institutions through business development or other channels.” In this definition, we should clarify the following points: 1) “Personal” means personal financial information is not the same as financial information. The scope of financial information is broader than personal financial information, including personal financial information, corporate financial information and financial regulatory information, etc.; 2) “Finance” means that it must be a financial institution authorized by the state, including both banking financial institutions and non-banking financial institutions. 3) “Information” refers to various information recorded electronically or in other ways that can be used to identify a specific natural person alone or in combination with other information. In addition, cross-border personal financial information includes not only general personal financial information, but also personal financial privacy information.
In terms of the definition of cross-border, according to the 1980 OECD “Guidelines on Privacy Protection and Cross-border Flows of Personal Data”, cross-border data flow means: “Point to point digital data transfer across national and political boundaries” (Han, 2016) . Based on this definition, cross-border financial data flow is the financial data part of cross-border data flow, which is included in the concept of cross-border data flow. Although many scholars advocate that the concepts of information and data should be distinguished in academic realm, using a mix of them has become normal in the legislative practice of many countries. Therefore, the author believes that the concepts of information and data should refer to the same object. Cross-border data flow is essentially equivalent to cross-border information flow.
In summary, cross-border personal financial information indicates point-to-point data transmission across national and political boundaries. Especially the information obtained, processed and stored by financial institutions through business development or other channels.
2.2. Public Law Regulations in China: Unique Financial Regulatory System
In terms of cross-border personal financial information supervision, the current main laws and regulations in China contain: “Implementation Measures of the People’s Bank of China for the Protection of Financial Consumer Rights and Interests”, the “Notice of the People’s Bank of China on the Protection of Personal Financial Information by Banking Financial Institutions” (hereinafter referred to as the “Document No. 17”) and the “Data Governance Guidelines for Banking Financial Institutions” have established legal rules for cross-border personal financial information. There are two core regulatory logics in China: First, the flow of cross-border personal financial information must comply with the confidentiality obligations of customers in the first place, except for anti-money laundering and other laws and regulations related to public interests. The value of supervision lies in maintaining the balance between personal information protection and public interest; on the basis of complying with the general cross-border flow of personal information, the regulation of cross-border personal financial information must also comply with or should give priority to the special requirements of the financial regulatory authorities to adapt to the development characteristics of the financial industry. Up to now, the conditions for the export of personal financial data have not been clarified. In accordance with the “Cyber Safety Law”, security assessment must be carried out, which shows that the conditions for the export of personal financial data are more flexible, and there may also be uncertainty. At the same time, China’s data classification management system still needs to be refined and improved furtherly. For instance, in China’s “Guidelines of Financial Data Security and Data Security Classification” (JR/T 0197-2020) does not clarify what level of financial data can flow freely across borders (Guo & Liu, 2023) . To achieve financial digital transformation, the further evolution of China’s financial industry will inevitably require the improvement of legal regulations on financial data elements.
2.3. Private Law Protection in China: Response and Impact of the Civil Code
At a time of great changes unseen in a century, the promulgation of the Civil Code marks a comprehensive upgrade in governance capabilities as well as systems. It is a manifestation of the country’s soft power and a new height of legal civilization. The emergence of the Civil Code is conducive to global legal cooperation and enhances China’s strength, which is related to people’s livelihood and national destiny to a certain extent. The enactment of the Civil Code is a milestone of Chinese legal system. The independent codification of personality rights provides standards for defining public power of the boundaries of government and civil rights to a considerable degree. In order to respond to new problems arising from the development of information technology, the Civil Code also responds to personal information protection issues through the method of personality interests, which reflects humanistic care in the information age. The Civil Code is the first law named after a code in New China, which is a basic law for safeguarding the country’s basic economic system.
The “Civil Code” expands private remedies for cross-border personal financial information protection of citizens, and provides the possibility of tort liability. Hence it is conducive to individuals’ rights protection to mobilize individual enthusiasm, and is beneficial to the protection of personal financial information. In Articles 1032 to 1039 of the Civil Code, it is clarified that private information belongs to privacy and is a part of personal interests. In addition, the definition, classification, as well as processing principles and conditions of personal information is also clarified. The formulation of the above content refers to the legislative experience of the European Union’s “General Data Protection Regulation” in some degree. The internal logic is to protect the privacy rights of civil subjects by giving them certain personality interests. Furthermore, the privacy rights are regarded as a. part of maintaining personality dignity. To a certain extent, absorbing foreign legislative experience and practices is in favour of docking with foreign legislation, as well as the development of the global rule of law. The mater of personal information protection cannot be solved simply by conferring personal interests. The flow of personal information must also be considered, otherwise it will be detrimental to the development of information technology. Therefore, under the legislative concept of maintaining a balance between sharing and control, personal information is divided into private information and non-private information in the Civil Code. Regulating the problem of personal information through the dual regulation of privacy right in rights of personality and the priority of separate applicable laws, to make it possible to protect personal information through the method of private law.
3. The Limitations of the Civil Code on Cross-Border Personal Financial Information Protection Regulations
As mentioned above, the path of private remedies for cross-border personal information protection was explored through the Civil Code. Nonetheless, there are still following limitations:
3.1. Personal Financial Information Is Not Clearly Defined
The legal protection of personal financial information faces the problem of difficulty in defining personal financial privacy in judicial practice. As mentioned above, the definition of personal information is clarified in Article 1034 in the Civil Code, and is regulated in a dualistic method. It is stipulated that privacy provisions shall apply to private information of personal information, and other personal information shall be given priority separately to apply to other laws. In the Civil Code, this provision is demonstrated to provide an avenue for individuals to seek private remedies. When a natural person’s private and non-private information is violated, a lawsuit can be filed based on this provision. However, it is not clearly distinguished between private information and non-private information in the Civil Code, which will lead to some uncertainty in the application of the law. In addition, there are certain differences in the degree of legal protection for the private information and non-private information. In the process of utilizing Chinese law to cross-border civil litigation, there is a condition when a party claims that his or her personal information privacy rights have been violated. As a result of the Personal Rights Code not defining what private information is, there will be quite great space for legal disputes. The existent of a certain degree of uncertainty will in turn affect the protection of cross-border personal information. Furthermore, many countries and regions have relatively detailed regulations on what constitutes private information and what constitutes privacy rights. On account of the certainty of laws in other countries make it easier to clarify the boundaries of rights, the parties may be more inclined to choose the laws of other countries. Such behaviors will exclude the application of Chinese law in some degree and administer over relevant cases to a certain extent, which may undermine national sovereignty.
It is true that as a private law, there is certain limitation in the Civil Code for its scope of adjustment. It is impossible to directly determine what private information is and to make precise definitions of various types of private information. What constitutes personal financial privacy information needs to be clarified in other laws. However, we should also realize that the definition of private information in the Civil Code also has very positive significance for the protection of cross-border personal financial information. In fact, the definition of private information in the Civil Code is a standard, a method and also a guidance. It is conducive to the clarification of personal financial private information in financial law and is also beneficial for providing standards from a civil perspective for the protection of cross-border personal financial information. Hence, the Civil Code should state the concept of private information, which will cause a positive effect on the protection of different types of private information to a certain degree.
In summary, as a private law, the Civil Code has particular limitations in its scope and functions of adjustment. Thus it cannot adjust various types of legal relationships. Thereby, corresponding supporting mechanisms should be built in other legal departments to make corresponding provisions on the concept and classification of personal financial information. Furthermore, although the Civil Code is private law, as an important legal component of China, its functional positioning should not be limited to adjusting the legal relationships of private law. The division between public law and private law cannot completely separate the coordination and cooperation between laws. Instead, we should pay attention to the cooperation and integration between public and private law. The construction of the legal system by the Civil Code has an important impact on administrative law, international law and economic law. Another point is that, there are still a large number of private laws becoming public laws in the Civil Code. Consequently, combined with the current background, the clear definition of private information in the Civil Code is to the benefit of protecting cross-border personal financial information to a certain extent.
3.2. The Format Contract Led by Financial Institutions Does Not Comply with Substantive Justice
The format contracts led by financial institutions are harmful to the protection of personal financial information (Li, 2024) . The Civil Code provides two private law remedies for cross-border personal financial information protection, namely liability for breach of contract and liability for tort. However, the foundation on which the original legal system was established has quietly changed, and it is unable to solve emerging legal issues in some sense.
Regarding on the protection of cross-border personal financial information, although individuals and financial institutions are both formally equal civil subjects, there is a huge substantive inequality. Such imparity mainly reflects in the economic strength, negotiation ability, and technical capabilities of both parties. Financial institutions are specialize in using their absolute advantageous position to reduce their own obligations and increase the liabilities of the other party to a certain extent through the means of format contracts in the process of establishing civil relations with individuals, and make this process comply with legal regulations. The most significant negative value of format contracts is that it brings about the deviation between freedom of contract and contractual justice. The party with economical strength could exploit the weak in the name of freedom of contract, and the ensuing injustice becomes a tumor that haunts modern law (Yan, 2016) . Individuals cannot negotiate based on this, but can only choose to accept it or not. Once an individual chooses to accept it, his or her information rights may be legally infringed by the rules led by financial institutions. Even if an individual files a breach of contract or infringement lawsuit, it will be difficult to protect his or her rights during the litigation process. However, once an individual chooses not to accept it, one will be very likely to be ostracized by society, which is harmful to his or her daily activities in society. It turns out that personal freedom of consciousness expressing is eroded. Under the established contract rules led by financial institutions, no matter whether an individual chooses to sue for breach of contract or tort; since the financial institution has formulated corresponding standard contract terms, it is difficult for individuals to gain an advantage in winning the lawsuit.
Additionally, since the issue of cross-border personal financial information protection involves cross-border factors, in the actual process, individuals will also incur huge rights protection costs due to language, region and industry practices in different places. In consequence, there will be a huge gap between individuals and financial institutions, and it is difficult to protect one’s own rights and interests.
3.3. Individuals Have Trouble Obtaining Relief in Infringement Lawsuits
As has been said above, under the rules dominated by financial institutions, it is hard for individuals to gain the advantage of winning a lawsuit. However, even if an individual files an infringement lawsuit, it will not be easy to obtain corresponding relief. The legal construction of the original tort liability law was based on the traditional social life, but now social life has changed, and new tort liability rules need to be established to adapt to the development of the times. The Civil Code has no relevant provisions on this in the tort liability section. To this end, the academic community regarding the Civil Code seems to have reached the following consensus: 1) According to traditional tort law rules, individuals must bear the burden of proof for the basic facts of the existence of a legal relationship for tort liability. However, due to the disparity in strength and technical capabilities between individuals with government agencies and business entities, individuals have difficulties in proving subjective fault, causal relationship, losses and injury acts. If the basic rules of allocation of burden of proof are adhered to, then natural persons will be unable to obtain relief because they cannot prove the requirements for establishing tort liability (Ruan, 2020) ; 2) Because of the asymmetry in strength and technical capabilities between individuals with government agencies and business entities, it is necessary to implement oblique protection to Individuals, which is the logical starting point for constructing personal information protection rules in tort law; 3) Currently, there are two main methods to reduce an individual’s burden of proof: 1) Switching the burden of proof; 2) Presuming causal relationships; 3) Enact fixed compensation. In addition, some scholars have classified information infringement and proposed a three-dimensional regulation theory.
The above-mentioned academic consensus directly or indirectly clarifies that individuals may have difficulty in providing relief when faced with powerful transnational financial institutions and should receive preferential protection. This is proposed by scholars from the perspective of the improvement of the Civil Code, and is of great importance for individuals to provide private relief. However, these points of view are only from a private law perspective. In the process of cross-border personal information protection, there is still objective difficulties for individuals to provide private relief, which are specifically reflected in the following aspects: 1) Individuals are not very enthusiastic about safeguarding their own rights and interests, so it is unable to compensate their loss for the harm they have suffered through compensation and other means. In some circumstances, they may not have sufficient force to pursue a claim against the financial institution. When it comes to the protection of cross-border personal financial information, if the best result for an individual to engage in a lawsuit is to obtain a fixed amount of compensation, then this will undermine the positivity of private parties for relief. The costs that individuals spend on cross-border evidence collection, litigation and other necessary legal process are far greater than their rewards, so they can only let the infringement acts of financial institutions go unchecked; 2) Individuals do not have the ability to evaluate and identify. In many cases, they do not have the professional skills to determine the harm they have suffered, subject of infringement and causal relationship. Concerning the issue of cross-border personal financial information protection, the personal financial information protection standards of various countries are different, and it is often difficult for individuals to grasp it due to technical and language factors. The Civil Code is only a framework and way for individuals to provide private relief. Nevertheless, individuals still have difficulties in private relief that cannot be ignored, and corresponding legal mechanisms need to be constructed to cooperate and further respond.
4. Specific Path
As mentioned above, the Civil Code has certain limitations in the protection of cross-border personal financial information. It cannot comprehensively and effectively regulate such issues, but only provide corresponding paths for individuals to carry out private remedies. For this purpose, the construction of legal mechanisms can respond as follows to make up for the shortcomings of the Civil Code in a certain degree.
4.1. Clarify the Minimum Standards for Distinguishing Personal Financial Privacy Information from General Information
For now, China has introduced a series of normative documents on personal financial information. The main normative document “Technical Specifications for the Protection of Personal Financial Information” (hereinafter referred to as the “Specifications”) have clarified the definition, scope and classification of personal financial information. But the definition, type and classification of personal financial privacy information is still not clear. At present, the protection of personal information in judicial practice presents two models, represented by the “Continental Europe gradually develops personal information rights” and the “American privacy rights”. At the same time, some Chinese scholars also advocate choosing a path to protect personal information rights. The reason is: personal information rights and privacy rights are different in the delineation of right attributes, the demarcation of rights objects, the demarcation of rights content, and protection methods. The privacy right approach cannot fully protect the property interests and prevent the generating of property interest by the commercial use of personal information. On account of the independence and dominance of personal information, the right to personal information needs to be regarded as a specific personality right. On all accounts, the distinction between personal financial privacy and general personal financial information is valid. Among the contents stipulated in the “Specifications”, personal financial information is divided into three categories C3, C2, and C1 in order of the sensitive degree from high level to low level. And its basis is resulting influence and harm after suffering from unauthorized check or alternation. Interpreting and reconstructing the right to privacy can not only reconcile statutory legal norms in theory, but also maintain the legal stability (Zhao & Xiang Li, 2019) . Based on the existing classification and grading, the author believes that the difficulty of personal financial privacy information is that it is hard to distinguish personal financial privacy information from personal general information. The reason is that it is tough to directly determine the distinguishing standard between personal financial privacy information and personal financial general information. The truth is, the classification of personal financial information is uncertain about the boundary between personal financial privacy information and personal general information. For example, according to the classification standards, the user name for account login and information that directly reflects the financial status of the subject of personal financial information both belongs to the C2 category. But actually, the former one can hardly be recognized as personal financial privacy, because the user name used for the account login actually has no impact on the individual. Nevertheless, the latter one can be directly defined as personal financial privacy. The reason is that, the disclosure of such information may have a negative impact on individuals. As a consequence, the author believes that according to the current classification rules of the “Specifications”, C3 can be at least classified as personal financial privacy in the grading of personal financial information, and the part in C2 should be sorted as personal financial privacy. For instance, the key information used in financial products and services, information that directly reflects the financial status of the personal financial information subject, and collected photos, audio, video as well as other image information of personal financial information subject can be considered to be set as personal financial privacy. The remaining information together with C1 can be considered to be classified as personal financial general information. Enumeration and exhaustive methods can also be used in the clarification of personal financial privacy information. On the one hand, it’s helpful to clarify the types of personal financial privacy information. On the other hand, it contributes to fit in the changeable society, also leaves a certain space for the adaptability of the law.
4.2. Establish Corresponding Financial Contract Templates
When a standard contract is concluded, the maker takes advantage of his advantageous position to formulate clauses that are beneficial to himself but detrimental to the counter party. The counter party barely pays attention to or fully understands this clause, not to mention to change this clause. Such behavior causes damage to freedom of contract and contractual justice. Due to the existence of monopoly, the counter party actually has no other choice. Financial contract templates can effectively improve litigation efficiency. So it’s necessary to regulate this issue by formulating financial contract templates, that could be set as a soft law mechanism. It could serve as a demonstration for cross-border personal financial information protection issues, thereby reducing legal disputes and problems. When conducting financial business between individuals and financial institutions, the country’s legal bottom line must be followed on personal information protection regulations. Besides, financial institutions should also be prevented from abusing their advantageous position and using legal forms to collect massive amounts of personal financial information, which will lead to a large number of risk issues. Financial regulatory agencies can formulate a certain number of financial contract templates to make relevant provisions on issues such as the collection, processing, and sharing of cross-border personal financial information, as well as liability for breach of contract. The terms of the contract should be set up in accordance with the basic provisions of Chinese laws and regulations on the protection of cross-border personal information. The corresponding requirements, standards and responsibilities should be clearly defined for the way financial institutions handle personal information.
4.3. The Establishment of an Evaluation Mechanism Led by Financial Regulatory Agencies
Since the infringed party may face unequal status, the actual purpose of clarifying the minimum standard for personal financial privacy information is to reduce the litigation costs and the difficulty of proof in infringement lawsuits. However, such problems cannot be completely solved, and there are still uncertainties in the boundaries. It is believed to be a feasible solution to determine whether a certain type of information belongs to personal financial privacy information by building an evaluation mechanism.
First of all, the logical premise for setting up an evaluation mechanism is: 1) The status of the infringer and the infringed party may not be equal in civil litigation. If the infringer is a large financial institution but the infringed party is only a common individual, the infringed party can scarcely have the corresponding ability to obtain relief in civil litigation; 2) Professional knowledge and skills are required for a specialized evaluation mechanism, which is conducive to carrying out appraisal and evaluation work objectively, neutrally and comprehensively. 3) The assessment mechanism dominated by administrative agencies can ensure the consistency of policies and setting corresponding legal standards for judicial practice, which can effectively prevent inconsistencies between judicial practice and administrative policies in a way. 4) The evaluation mechanism serves more as an auxiliary mechanism rather than a preproceeding of litigation. The parties are free to choose whether to conduct the evaluation process. On the one hand, it will improve litigation efficiency and save public resources. The evaluation mechanism of financial supervision can determine the scope of financial privacy. In this case, the cost and difficulty of proof in judicial proceedings are reduced, consequently the litigation efficiency is improved. The evaluation mechanism should be consistent with privacy design theory, which advocates protecting personal information by proactive preventive methods. However the fair information practice principle is more inclined to passive remedies after the fact. On the other hand, the privacy design theory advocates the protection of personal information through comprehensive means such as law and technology, while the fair information practice principle is primarily a single legal protection (Zheng, 2018) .
Secondly, the main content of the evaluation mechanism is to help the infringed party lower its burden of proof and implement preferential protection for them. The evaluation details lies in the following aspects: 1) Distinguishing personal financial privacy and personal financial general information. 2) Determining the subject of the infringement and the infringement behavior. 3) Clarifying whether the infringer is at fault. 4) Recognizing whether the infringed party has a loss. 5) Illustrating whether there is a causal relationship between the infringement and the loss. The conclusion of the evaluation is more a kind of evidence in civil litigation without absolute legal effect. Whether the judicial authority accepts it or not should be based on the specific circumstances of the case.
Finally, the evaluation mechanism should be set up by the financial regulatory agencies who have certain professional capabilities. One side, they can conduct professional assessments in the face of such issues; on the other side, it is conducive to optimizing their regulatory experience and improving financial regulatory policies. Financial regulatory agencies can also establish certain compliance standards. The infringer who does not meet the corresponding standard may be convicted of infringement.
5. Conclusion
The Civil Code provides an approach of private relief for cross-border personal financial information protection. Even so it is often tough for individuals to use this means to carry out private relief effectively. Due to the lack of relevant supporting legal enforcement mechanisms, individuals can hardly obtain effective legal remedies by suing for infringement or breach of contract through the Civil Code, which ultimately leads to damage to personal information rights. The protection of personal financial information requires the cooperation of multiple laws to achieve good legal effects. The gap between departmental laws will not make it easy to effectively respond to personal financial information protection issues. Hence, breaking down the barriers between departmental laws and adopting responsive legal regulation methods is the key to solve the problem of personal financial information protection. For this purpose, the establishment of supporting mechanisms for the implementation of relevant laws can assist the Civil Code to play a better role, which will accelerate solving the problem of cross-border personal financial information protection. To establish a supporting legal enforcement mechanism for the protection of cross-border personal financial information, the principle of tilted protection needs to follow. The implementation of “inclined protection” is conducive to clarifying the scope of individual rights. Meanwhile, the boundaries between government power and the rights of financial institutions could also be illustrated to prevent individual rights from being infringed upon by financial institutions or the government. Moreover, the supporting mechanism for legal implementation should be in line with the rules and characteristics of the financial industry. Corresponding institutional rules, evaluation standards and processing methods should be constructed according to the particularity of the financial industry, so as to address the legal issues regarding the protection of cross-border personal financial information specifically.
Funding
This paper is one of the results of the project “Research on coordinated regulation of cross-border data flow from the perspective of international soft law” (202375) sponsored by “the Postgraduate Innovative Research Fund” of University of International Business and Economics.